Transcript Digital IDs

Securing the Internet
Chapter 13
Learn how to…
• Define the security threats and attacks that
hackers use to gain unauthorized access
to network services and resources.
• List the Internet security safeguards that
protect networks by detecting intrusions
and defeating attacks.
• Define the methods for digitally signing
and encrypting network transmissions.
• Describe publishing a Web securely with
the SFTP protocol.
Identifying Internet
Security Issues
Security Risks
• Unauthorized access
• Data manipulation
• Service interruption
User-Level Issues
• Inside attacks originate from within an
organization.
– Such attacks account for about two-thirds of
all security breaches.
Physical Access Security
• Keep equipment behind locked doors and
limit access to authorized personnel.
• Require employees to log off before
walking away from their workstations.
• Keep employees from writing their
passwords on slips of paper.
• Encourage employees to report suspicious
activity.
Network Security Threats
• Data interception
– Packet sniffers and network analyzers can
intercept data that moves across the network.
• Identity interception
– Usernames and passwords can cross the
network in clear text.
• Require employees to have passwords consisting
of a combination of characters and numbers.
• Avoid passwords consisting of information that can
be searched or guessed.
Network Security Threats
• Masquerading
– Occurs when unauthorized users assume
the privileges of an authorized user.
– IP address spoofing happens when an
intruder uses the IP address of a trusted
system.
• Replay attacks
– Occur when a hacker uses a packet sniffer
to record a logon sequence and then plays
back the sequence at a later time.
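A challenge-response logon is one common defence against the replay attack described above: the server issues a fresh one-time value for every logon, so a recorded sequence is worthless later. The code below is an added example, not part of the original slides; LogonServer, client_response and the sample key are hypothetical names constructed for illustration.

```python
import hashlib
import hmac
import secrets


class LogonServer:
    """Challenge-response logon that rejects replayed responses."""

    def __init__(self, user_keys):
        self.user_keys = user_keys      # username -> shared secret (bytes)
        self.pending = {}               # username -> outstanding one-time nonce

    def challenge(self, user):
        # A fresh random nonce per attempt makes every valid response
        # different, so a recorded response is useless later.
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response):
        # pop() consumes the nonce: each challenge can be answered only once.
        nonce = self.pending.pop(user, None)
        key = self.user_keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(key, nonce):
    # The shared secret never crosses the network, only the HMAC of the nonce.
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    key = b"constructed-shared-secret"          # constructed sample value
    server = LogonServer({"alice": key})

    first = client_response(key, server.challenge("alice"))
    legit = server.verify("alice", first)       # genuine logon

    # A sniffer recorded `first`; it is played back with no new challenge...
    replay_no_challenge = server.verify("alice", first)
    # ...and again after the server has issued a new challenge.
    server.challenge("alice")
    replay_new_challenge = server.verify("alice", first)
    return legit, replay_no_challenge, replay_new_challenge
```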
Network Security Threats
• Social engineering attack
– Exploits human weaknesses to gain access
to the organization’s network.
• Intruders fake their identity to gain access or
information.
• Misuse of privileges
– Network administrators with a high level of
system privileges can use their privileges to
gain access to information that they should
not access.
Identifying Assets
• Data tier information resources
– Any organization that conducts transactions has a
back office database that you do not want hacked.
• Server resources
– All types of servers may contain resources that need
to be protected.
• Network resources
– Protection from unauthorized access.
• Local workstations
– End-user workstations are prone to virus attacks.
Defending a Network
• Defending a network includes:
– A proactive pre-attack strategy
• List the threats.
• Identify the staff to defend against attacks.
– A reactive post-attack strategy
• Have a strategy for mobilizing the appropriate staff
to take corrective actions.
Viruses
• Boot record viruses spread through malicious
code that runs when the computer boots.
• A file infector virus occurs when malicious
code attaches to individual files, which
propagate primarily via e-mail attachments.
• A document or spreadsheet attached to an
e-mail can contain a macro virus.
– A macro is a command that executes a set of
instructions in a computer application.
Viruses
• A Trojan horse is malicious code that
masquerades as a desirable program.
• Crackers can embed malicious executable
code in Web pages via Java applets or
ActiveX controls, called embedded code.
• A worm can propagate across the Internet
and infect other computers by replicating.
Applying Internet Security
Safeguards
Best Practices
• Subscribe to a security newsletter that
keeps you apprised of the latest security
issues and threats.
• Use an automatic update service to install
the latest security patches.
• Identify the kinds of attacks to which your
network is prone.
Best Practices
• Audit the network for traces of these
attacks.
• Install software that can automatically
detect intrusions.
• Plan how to recover from network
disasters.
• Use firewalls to block non-trusted traffic or
processes.
Microsoft Newsletters
• Subscribe to Microsoft security newsletters at
www.microsoft.com/technet/security/secnews/newsletter.htm
– Choose the link to subscribe.
– Follow the instructions to establish a .NET
Passport if necessary.
Windows Update
• Microsoft runs a
Windows Update
Service that can
automatically
download the latest
security patches to
your computer.
– Start | Control Panel |
double-click System
icon | Choose
Automatic Updates tab
Defeating Attacks
• The most frequent attack is Denial of
Service (DoS), in which the attacker
seeks to consume so much of a server’s
resources that the host cannot respond to
legitimate requests.
• In a brute force attack or front door
attack, a cracker programs a computer to
look up words in a dictionary and generate
variants to guess a password.
Defeating Attacks
• Dumpster diving is the practice of looking
through trash for discarded records that can
display in clear text important information such
as account numbers, passwords, and social
security numbers.
• A trapdoor attack occurs when crackers find a
way into your computer by running diagnostic
tools that your staff may have left on the system
after troubleshooting some kind of problem.
Auditing and Detection
• Security auditing uses software to detect
attempts to compromise your assets.
• Set an audit policy to activate intrusion
detection on a Windows server.
– You can audit successes or failures of an
event.
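The sketch below shows why an audit policy should record both failures and successes: a burst of failed logons points to password guessing, and a success right after the burst deserves a closer look. It is an added example, not part of the original slides; the log format, the threshold and the function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records (timestamp, outcome, account, source); not real logs.
SAMPLE_LOG = """\
2024-05-01T09:00:00 SUCCESS user=bob src=10.0.0.7
2024-05-01T09:00:05 FAILURE user=alice src=10.0.0.9
2024-05-01T09:00:06 FAILURE user=alice src=10.0.0.9
2024-05-01T09:00:07 FAILURE user=alice src=10.0.0.9
2024-05-01T09:00:08 FAILURE user=alice src=10.0.0.9
2024-05-01T09:00:09 FAILURE user=alice src=10.0.0.9
2024-05-01T09:00:10 SUCCESS user=alice src=10.0.0.9
2024-05-01T09:30:00 FAILURE user=bob src=10.0.0.7
2024-05-01T10:30:00 FAILURE user=bob src=10.0.0.7
"""


def parse(line):
    stamp, outcome, user, src = line.split()
    return (datetime.fromisoformat(stamp), outcome,
            user.split("=", 1)[1], src.split("=", 1)[1])


def detect(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts for failure bursts and for a success that follows one."""
    recent = defaultdict(deque)     # (user, src) -> timestamps of recent failures
    flagged = set()                 # (user, src) pairs currently over threshold
    alerts = []
    for line in log_text.splitlines():
        when, outcome, user, src = parse(line)
        key = (user, src)
        fails = recent[key]
        while fails and when - fails[0] > window:
            fails.popleft()         # drop failures older than the window
        if not fails:
            flagged.discard(key)    # the burst has aged out
        if outcome == "FAILURE":
            fails.append(when)
            if len(fails) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("failure-burst", user, src))
        elif key in flagged:
            # Auditing successes matters: this logon may be a guessed password.
            alerts.append(("success-after-burst", user, src))
            flagged.discard(key)
    return alerts
```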
Firewalls
• A firewall is a combination of hardware,
software, and security policies that block
certain kinds of traffic from entering or
leaving a network, subnet, or individual
host computer.
Firewall Strategies
• Packet filtering
– Works at OSI Layers 3 and 4 to inspect the
headers of all incoming and outgoing packets
to block transmissions based on source or
destination ports or IP addresses.
• Proxy servers and Network Address
Translation
– Help to keep internal addresses private and
hidden from attackers.
Firewall Strategies
• A circuit level gateway prevents the
establishment of end-to-end TCP
connections. Instead, the gateway
establishes a connection on behalf of an
inside host with an outside host.
Firewall Strategies
• An application level gateway is a type of
firewall that can scan packets for malicious
content spread through SMTP (mail),
HTTP (Web pages), FTP (file transfers),
DNS (attacks on name servers), or Telnet
(remote logon).
Firewall Strategies
• Stateful inspection can keep track of
when a port opens, what session is using
it, and how long the port stays open.
– If the firewall suspects a session has been
hijacked, the firewall can drop the session.
Firewall Topologies
• Packet filtering firewall
• Single-homed bastion host firewall
• Dual-homed bastion host firewall
• Screened subnet firewall with DMZ
Packet Filtering Firewall
• Uses a packet filter, which monitors the
headers of all incoming or outgoing
packets and can block transmissions
based on source or destination ports or IP
addresses.
– Operates at OSI layers 3 and 4.
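The following added example (not part of the original slides) models a packet filter on the external interface: it looks only at layer 3 and 4 header fields, applies the first matching rule, and drops anything unmatched. The Rule class, the rule set and the addresses (RFC 5737 documentation ranges) are constructed assumptions; the first rule also drops inbound packets that claim an internal source address, the IP spoofing case mentioned earlier.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: str             # source network in CIDR notation
    dst: str             # destination network in CIDR notation
    dport: range         # destination ports covered by the rule

    def matches(self, pkt):
        src_ip = ipaddress.ip_address(pkt["src"])
        dst_ip = ipaddress.ip_address(pkt["dst"])
        return (self.proto in ("any", pkt["proto"])
                and src_ip in ipaddress.ip_network(self.src)
                and dst_ip in ipaddress.ip_network(self.dst)
                and pkt["dport"] in self.dport)


ANY_PORT = range(0, 65536)

# Constructed rule set; 192.0.2.0/24 plays the role of the internal network.
RULES = [
    # Inbound packet claiming an internal source address: spoofed, drop it.
    Rule("deny", "any", "192.0.2.0/24", "0.0.0.0/0", ANY_PORT),
    # Public Web server reachable from anywhere on TCP port 80.
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", range(80, 81)),
    # SSH to one host, only from a single partner network.
    Rule("allow", "tcp", "198.51.100.0/24", "192.0.2.20/32", range(22, 23)),
]


def filter_packet(pkt, rules=RULES):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"
```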
Single-Homed Bastion
• A bastion host is a computer that sits on
the perimeter of a local network and
serves as an application-level gateway
between the external network and the
internal client workstations.
– A single-homed bastion host contains one
network card.
Dual-Homed Bastion
• A dual-homed bastion firewall uses two
NICs (hence the term dual-homed) on
which IP forwarding is disabled, thereby
creating a complete physical break
between the internal and external
networks.
DMZ Screened-Subnet
• The screened-subnet firewall
establishes a demilitarized zone (DMZ)
by placing packet filtering routers on both
the Internet side and the private network
side of the bastion host. This makes it
impossible for insiders to communicate
directly over the Internet.
– The DMZ provides a secure location for the
network’s modem pool and the organization’s
public Web and FTP servers.
Firewalls
• For more on firewalls, visit Microsoft’s
firewall page at
www.microsoft.com/technet/security/guidance/secmod155.mspx
• ZoneAlarm is a popular firewall product
that is available for free.
– Visit www.zonelabs.com
Transmitting Network Data
Securely
Encryption
• To encrypt means to encode the data stream by
manipulating the symbols with a set of rules
called an algorithm that makes the message
appear scrambled and unintelligible.
• To decipher the data, the person who receives
the message must have the encryption key,
which is the secret algorithm comprising the
rules used to encode the message.
Symmetric Cryptography
• Symmetric cryptography, also called
secret-key cryptography, uses the same
secret key for both encryption and
decryption.
Symmetric Standards
• Symmetric encryption standards include:
– Data Encryption Standard (DES)
– Triple DES (3DES)
– RC algorithms
• www.rsasecurity.com/rsalabs/faq
– International Data Encryption Algorithm
(IDEA)
• http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
– Advanced Encryption Standard (AES)
Asymmetric Cryptography
• A public key infrastructure (PKI) consists of a
certificate authority system that assigns each
user a digital certificate containing a key pair
consisting of a public key and a private key.
– The person sending a message uses the public key to
encrypt the message.
– The person receiving the message uses the private
key to decrypt it.
– Because the key that encrypts the message is
different from the key that decrypts it, this process is
called asymmetric cryptography.
Digital Signatures
• A digital signature is an identification
method that binds a document to the
possessor of a particular key by creating a
message digest and encrypting the digest
with the sender’s key.
– Verifies whether the message truly came from
the person who appears to have sent it, and
that it has not been altered on its way.
Digital Signature
Hash Encryption
• A one-way encryption method called hash
encryption creates the message digest.
– The message’s digital fingerprint.
Encryption Algorithms
• The two most commonly used hash
encryption algorithms include SHA-1 and
MD5.
– SHA-1 is the Secure Hash Algorithm, which
takes a message up to 2^64 bits in length and
produces a 160-bit message digest.
– MD5 is the latest Message Digest algorithm
which creates a 128-bit message digest.
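The digital signature and message digest slides above, carried through as an added example that is not part of the original slides: the sender hashes the message and transforms the digest with the private key, and the receiver checks it with the public key. Assumptions: the key is a toy RSA key constructed from two published Mersenne primes with no padding (not a secure key), and SHA-256 is swapped in for SHA-1 and MD5, both of which have known collision attacks.

```python
import hashlib

# Toy RSA key built from two published Mersenne primes so the example needs
# no third-party library. Constructed for illustration: NOT a secure key.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                                   # public modulus
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (signer only)


def digest(message: bytes) -> int:
    # One-way hash: the message's fixed-length "digital fingerprint".
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    # The signer transforms the digest with the PRIVATE key.
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    # Anyone holding the PUBLIC key recovers the digest from the signature
    # and compares it with a digest computed from the received message.
    return pow(signature, E, N) == digest(message)


def demo():
    original = b"Pay Bob 100 dollars"       # constructed sample message
    sig = sign(original)
    return (verify(original, sig),                  # untouched message
            verify(b"Pay Bob 900 dollars", sig),    # message altered in transit
            verify(original, sig ^ 1))              # signature altered
```

Production signatures add a padding scheme to the digest before the private-key step; the unpadded form here only makes the digest-then-key sequence visible.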
Digital IDs
• The term digital ID refers to an X.509
certificate containing a key pair that
consists of a public key and a private key.
• An X.509 certificate enables you to
digitally sign your mail and/or send mail
encrypted.
– The next few slides outline how to obtain a
digital ID to use with Microsoft Outlook.
Digital ID with Outlook
• Open Microsoft Outlook and then select
Tools | Options | Security tab.
• Click Get a Digital ID button, which will
take you to a Microsoft Web site listing
digital ID services.
• Use VeriSign for a 60-day free trial to get
a digital ID.
VeriSign
Digital ID with Outlook
• VeriSign will send you an e-mail within
one hour.
• Click continue to install the certificate.
• To activate your certificate, go back to the
Security tab in Outlook and check the
option to Add Digital Signature to Outgoing
Message and click the Settings button.
Digital ID with Outlook
• When you send an e-mail message,
Outlook informs you that the message is
being signed.
• When you receive a signed message, you
will see a header named Signed and a
Digital Signature button.
• You can also encrypt messages by
checking the option under the Security tab.
Cipher Types
• Algorithms designed to encrypt blocks of
text are called block ciphers.
• Stream ciphers operate at the byte
(character) level to encrypt real-time
communications.
– The most popular stream cipher is RC4.
• RC4 uses SSL, which is described on the next
slide.
SSL
• Secure sockets layer (SSL) is a
handshake protocol that defines how a
server establishes a secure session in
response to an end user’s request to
transact.
– SSL supports many encryption algorithms,
including RC2, RC4, IDEA, DES, and triple DES.
SSL Handshake
• During this first part of the SSL handshake,
the server sends its certificate and cipher
preferences, which the client uses to create
a master key.
• After encrypting the master key with the server’s
public key, the client sends the encrypted master
key to the server, which authenticates itself to
the client via the master key.
• For the remainder of the session, the client and
the server encrypt subsequent communications
with keys derived from the master key.
TLS Handshake
• The IETF is working on a successor to SSL
called transport layer security (TLS).
• When you visit a Web site running secure over
SSL or TLS, the URL in the Web address field
begins with https instead of http.
• During the secure session, the browser displays
the Security icon in the browser’s status bar.
IPSec
• Internet Protocol Security (IPSec) is a
framework of open standards that use
cryptography services to ensure private,
secure communications over IP networks.
IPSec Process
VPN
• A virtual private network (VPN) is a
private data network that uses the public
Internet’s telecommunication
infrastructure.
– Privacy is achieved through the use of
session keys and an HTTP tunneling protocol
over which encrypted data passes.
VPN Types
• A VPN can connect two private networks
using the Internet.
• A VPN can be used to allow a remote user
to connect to the corporate network.
• IPSec is used with VPNs.
PGP
• Pretty Good Privacy (PGP) uses
encryption, data compression, and digital
signatures to provide secure transmission
of e-mail messages and other kinds of
store-and-forward file systems.
– For more information, visit
http://www.ietf.org/html.charters/openpgp-charter.html
Publishing a Web Securely
SSH
• The secure shell (SSH) protocol enables
two computers to negotiate and establish
a secure connection that uses encryption.
• Tunneling allows other kinds of TCP/IP
connections to funnel through the SSH
connection.
Securing FTP
• Secure FTP (SFTP) File Transfer
– Search the Internet for sftp clients that may be
used to publish your Web pages to a Web
server securely using SSH.
– A man in the middle (MITM) attack is one in
which the attacker intercepts a message en
route.